
Same server config, different domain, different score.

Question asked by Joshua Vijsma on Dec 28, 2015
Latest reply on Dec 30, 2015 by Joshua Vijsma

Hi all,

After some extensive SSL testing I got my domain (vps01.jvijsma.nl) to a score of 100/100/90/100. The 90 points for Key exchange bothered me, so after getting a new domain (jvijsmavps.nl) for HSTS preloading (cannot use subdomains for that) with the same server config setup, I was surprised to see that the score was 100/100/100/100.

I'm trying to figure out why vps01.jvijsma.nl is not getting the full 100 for key exchange. Does anybody here have a clue? Below is some server info. Thanks in advance for any input.

Kind regards,

Joshua

Apache 2.4.18 config:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1

SSLCipherSuite EECDH+AES256:EDH+AES256:!DSS:!ECDSA

# 4096-bit
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       on
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
